“Good Security Governance” is not a Piece of Useless Consultant Jargon
It is an essential protective layer for any organisation.
Irrespective of what many of us may say or write, the cyber security agenda remains dominated by products and technology.
Of course, the problem has a technical dimension and the protection of any firm against cyber threats will require the application of technical countermeasures at a number of levels.
But there are countless tech vendors and service providers out there trying to sell their products as the silver bullet that will protect you from anything, and countless small firms still holding simplistic views on cyber threats: “We’re fine; all our data is in the cloud.”
For any organisation above a certain size, effective and efficient protection can only result from the layered application of protective measures at people, process and technology level. And in that order.
It has to start with people. And that doesn’t mean rolling out a security awareness programme. Middle management has always had the tendency to jump straight into the solution space on the back of a simplistic analysis of the problem, but at the heart of the “people” aspects of any security strategy lie issues of corporate culture and corporate governance.
“Good security governance” is not a piece of useless consultant jargon. It is an essential protective layer for any organisation.
It ensures a visible endorsement of security values from the top down, brings clarity around security roles, responsibilities and accountabilities across the whole organisation, and, more importantly, it is the cornerstone that gets things done around security through an effective and efficient layer of reporting.
Only the actual execution of security measures (i.e. the actual deployment of security processes and the technology required to support them) will protect the business. And that’s where many organisations, larger and smaller, have failed over the past decades in spite of colossal investments in cyber security. Security projects get deprioritised halfway through, or focus only on low-hanging fruit that turns out not to exist; over time, people get demotivated and leave, nothing gets finished, and half-baked “solutions” proliferate. According to a recent survey by Cisco, the average organisation now uses 20 different security technologies.
Let’s get this straight: this is plain governance failure, and it has plagued organisations, large and small, for the best part of the last two decades.
To avoid those mistakes, break that spiral, and target the management and governance roadblocks which have prevented progress in the past, most organisations need to act at three levels:
First, get a good understanding of your security maturity posture to start with and set realistic timeframes around change. Change takes “the time it takes” and there may be no quick wins.
Then, be objective about the skills and resources you have to deliver change and set realistic improvement goals. Jumping straight to ineffective “virtual CISO” solutions in the hope of making the problem disappear will not help if nobody is there to execute.
Finally, stay focused. Security transformation often involves a change in mindset which needs stability to develop and takes time to set in. Changing directions or priorities every time something happens in the business or elsewhere will simply kill any transformational momentum around security.